CVE-2022-36851 - OpenCVE

Improper access control vulnerability in Samsung pass prior to version 4.0.03.1 allow physical attackers to access data of Samsung pass on a certain state of an unlocked device.

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Samsung	Samsung Pass

Configuration 1 [-]

cpe:2.3:a:samsung:samsung_pass:*:*:*:*:*:android:*:*

References

Link	Resource
https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=09	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Samsung Mobile

Published: 2022-09-09T14:40:05

Updated: 2022-09-16T16:46:03

Reserved: 2022-07-27T00:00:00

Link: CVE-2022-36851

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-09-09T15:15:11.580

Modified: 2022-09-21T20:35:51.127

Link: CVE-2022-36851

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Samsung pass", "vendor": "Samsung Mobile", "versions": [{"lessThan": "4.0.03.1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Improper access control vulnerability in Samsung pass prior to version 4.0.03.1 allow physical attackers to access data of Samsung pass on a certain state of an unlocked device."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-16T16:46:03", "orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "Samsung Mobile"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=09"}], "source": {"discovery": "UNKNOWN"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "mobile.security@samsung.com", "ID": "CVE-2022-36851", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Samsung pass", "version": {"version_data": [{"version_affected": "<", "version_name": "", "version_value": "4.0.03.1"}]}}]}, "vendor_name": "Samsung Mobile"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper access control vulnerability in Samsung pass prior to version 4.0.03.1 allow physical attackers to access data of Samsung pass on a certain state of an unlocked device."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284 Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=09", "refsource": "MISC", "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=09"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "assignerShortName": "Samsung Mobile", "cveId": "CVE-2022-36851", "datePublished": "2022-09-09T14:40:05", "dateReserved": "2022-07-27T00:00:00", "dateUpdated": "2022-09-16T16:46:03", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samsung:samsung_pass:*:*:*:*:*:android:*:*", "matchCriteriaId": "76250FDA-545C-41F2-A2ED-992EE4AF7BCD", "versionEndExcluding": "4.0.03.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper access control vulnerability in Samsung pass prior to version 4.0.03.1 allow physical attackers to access data of Samsung pass on a certain state of an unlocked device."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso inapropiado en Samsung pass versiones anteriores a 4.0.03.1, permite a atacantes f\u00edsicos acceder a los datos de Samsung pass en un determinado estado de un dispositivo desbloqueado"}], "id": "CVE-2022-36851", "lastModified": "2022-09-21T20:35:51.127", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.3, "impactScore": 3.6, "source": "mobile.security@samsung.com", "type": "Secondary"}]}, "published": "2022-09-09T15:15:11.580", "references": [{"source": "mobile.security@samsung.com", "tags": ["Vendor Advisory"], "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=09"}], "sourceIdentifier": "mobile.security@samsung.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "mobile.security@samsung.com", "type": "Secondary"}]}